While testing WebRTC, I noticed that a TLS connection from Chrome browser 85.0.4183.121 to Kamailio's (master version) TLS listening port fails.
Chrome sends Client Hello and K responds with Server Hello. After that Chrome terminates the handshake by sending TCP FIN.
Connection setup from Firefox works fine. After receiving Server Hello, it sends Change Cipher Spec, etc.
My K is using a Let's Encrypt server certificate and its server tls_method is TLSv1.2+.
Any ideas what goes wrong? Has anyone else experienced this?
-- Juha
A simple way to show this problem without any WebRTC SIP client is to point the Chrome browser to K's TLS listening port:
https://<sip proxy>:5061
and look with Wireshark or tshark how the handshake gets terminated by Chrome right after Server Hello.
The same with Firefox works fine.
-- Juha
Hi Juha,
Interesting. Does e.g. 5.4 still work for you? Might be then a regression in trunk.
Cheers,
Henning
Hello Juha,
https://lists.kamailio.org/pipermail/sr-users/2013-March/077235.html may contain a helpful workaround,
Jeff
On Fri, Oct 16, 2020, 11:14 AM Juha Heinanen jh@tutpro.com wrote:
Henning Westerholt writes:
Interesting. Does e.g. 5.4 still work for you? Might be then a regression in trunk.
Same problem with 5.4.
-- Juha
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Jeff Bilyk writes:
https://lists.kamailio.org/pipermail/sr-users/2013-March/077235.html may contain a helpful workaround,
Jeff,
Thanks for your reply. I do have
tcp_accept_aliases=no
and this problem appears before event_route [xhttp:request], that is, already during TLS handshake.
-- Juha
What I wrote below is not correct.
(1) Pointing Chrome to
https://<sip proxy>:5061
does result in a successful handshake:
Oct 17 17:53:06 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 17 17:53:06 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 17 17:53:06 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:763]: sr_ssl_ctx_info_callback(): SSL handshake done
Oct 17 17:53:06 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 192.168.43.159:43874 using TLSv1.3 TLS_AES_256_GCM_SHA384 256
(2) But when JsSIP TryIt app tries to connect to K at the same port, it does not result in SSL handshake done, but a series of trials:
Oct 17 17:55:20 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 17 17:55:23 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 17 17:55:25 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
...
And if I first do (1), then also (2) succeeds.
With Firefox, (2) works without (1).
-- Juha
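Added example, not part of the thread or of Kamailio: a small Python filter that separates the two log patterns quoted above, completed handshakes versus "SSL handshake started" entries that never reach "SSL handshake done". The function name, the one-second merge window for repeated "started" callbacks, and the year used to parse syslog timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the log entries quoted in the thread, one per line.
SAMPLE = """\
Oct 17 17:53:06 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 17 17:53:06 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 17 17:53:06 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:763]: sr_ssl_ctx_info_callback(): SSL handshake done
Oct 17 17:53:06 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 192.168.43.159:43874 using TLSv1.3 TLS_AES_256_GCM_SHA384 256
Oct 17 17:55:20 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 17 17:55:23 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 17 17:55:25 lohi /usr/bin/sip-proxy[13274]: INFO: tls [tls_domain.c:751]: sr_ssl_ctx_info_callback(): SSL handshake started
""".splitlines()

# Matches only the two handshake state messages; other tls lines are skipped.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ \S+\[(\d+)\]: INFO: tls \[[^\]]+\]: "
                  r"\w+\(\): (SSL handshake started|SSL handshake done)$")

def stalled_handshakes(lines, merge=timedelta(seconds=1), year=2020):
    """Return {pid: {"completed": n, "stalled": [datetime, ...]}}.

    Assumption: "started" entries from one process within `merge` of each
    other belong to the same attempt (the callback fires twice in sample 1).
    """
    stats, pending = {}, {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; `year` is supplied by the caller.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid = int(m.group(2))
        s = stats.setdefault(pid, {"completed": 0, "stalled": []})
        if m.group(3).endswith("done"):
            s["completed"] += 1
            pending.pop(pid, None)
        elif pid not in pending:
            pending[pid] = ts
        elif ts - pending[pid] > merge:
            # A new attempt began before the previous one finished.
            s["stalled"].append(pending[pid])
            pending[pid] = ts
    # Attempts still open at the end of the input never logged "done".
    for pid, ts in pending.items():
        stats[pid]["stalled"].append(ts)
    return stats
```

The log lines carry no connection identifier, so attempts are grouped per process and by time only; an attempt reported as stalled at the very end of a capture may simply still be in progress.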